A public key infrastructure (PKI) is an arrangement that binds a public key with a user identity by means of a digital certificate issued by a certificate authority. A certificate authority is a trusted entity which issues digital certificates for use by other parties. A digital certificate includes a public key and the identity of the owner of the public key. By signing the certificate, the certificate authority attests that the public key contained in the certificate belongs to the person, organization, server, or other entity noted in the certificate.
During the operation of a PKI system, some of the issued certificates may be revoked for various reasons, e.g., the private key corresponding to the public key has been compromised, or the entity identified in the certificate fails to adhere to a policy required by the certificate authority. A certificate revocation list is a list of certificates which have been revoked, are no longer valid, and should not be relied upon by any system user. Typically, the certificate revocation list identifies the revoked certificates by their serial numbers.
When a certificate is revoked, the private key corresponding to the public key in the certificate can no longer be used by the certificate owner to sign any document. That is, certificate revocation affects all uses of the private key on all documents. If the certificate revocation is effective at a specific time, all uses of the private key on any document after that time are revoked. Certificate revocation does not address the situation in which a single use of the private key on a document is invalid while the private key and the document are both valid. Once a certificate is revoked, the owner cannot use the certificate for signing any document, even though the private key is still valid with respect to signing some selected documents.
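The following is an added example (not part of the original text) that models the revocation semantics described above in plain Python: a certificate revocation list keyed by serial number, each entry carrying an effective revocation time, and a signature check that rejects every use of the key at or after that time on any document. The CA name, serial numbers, timestamps and document names are constructed for illustration. The CRL freshness window (`this_update`/`next_update`) and the conservative handling of a `keyCompromise` reason (pre-revocation signatures flagged as suspect because the actual compromise time is unknown) are the example's own design choices, not statements from the text.

```python
"""Constructed example: checking signatures against a certificate revocation list.

Revocation is per certificate (per key), not per document: once a serial
is listed with an effective time, every signature made with that key at or
after that time is rejected, whatever was signed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (constructed sample data helper)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_time: datetime   # time from which the certificate is no longer valid
    reason: str                 # e.g. "keyCompromise", "cessationOfOperation"


@dataclass(frozen=True)
class CertificateRevocationList:
    issuer: str
    this_update: datetime       # when the CA published this list
    next_update: datetime       # when a fresher list is expected
    entries: Dict[int, RevokedEntry]   # serial number -> revocation entry

    def lookup(self, serial: int) -> Optional[RevokedEntry]:
        return self.entries.get(serial)


@dataclass(frozen=True)
class Signature:
    cert_serial: int            # serial of the signer's certificate
    signed_at: datetime         # claimed signing time
    document: str


def crl_is_current(crl: CertificateRevocationList, now: datetime) -> bool:
    """A list outside its publication window must not be used to decide trust."""
    return crl.this_update <= now < crl.next_update


def check_signature(sig: Signature, crl: CertificateRevocationList, now: datetime) -> str:
    """Return one of: valid, revoked, suspect, undetermined.

    'undetermined' means the revocation information is stale, so no decision
    about the key can be made from it.
    """
    if not crl_is_current(crl, now):
        return "undetermined"
    entry = crl.lookup(sig.cert_serial)
    if entry is None:
        return "valid"                      # certificate is not on the list
    if sig.signed_at >= entry.revocation_time:
        return "revoked"                    # any document, any use, after the cutoff
    if entry.reason == "keyCompromise":
        return "suspect"                    # design choice: the true compromise time is unknown
    return "valid"                          # use predates an administrative revocation


def evaluate_all(crl: CertificateRevocationList, sigs: List[Signature],
                 now: datetime) -> List[Tuple[str, str]]:
    """Verdict per signature as (document, verdict) pairs."""
    return [(s.document, check_signature(s, crl, now)) for s in sigs]


# Constructed sample CRL: two revoked serials with different reasons and times.
SAMPLE_CRL = CertificateRevocationList(
    issuer="CN=Example CA (constructed)",
    this_update=utc(2024, 6, 1),
    next_update=utc(2024, 6, 8),
    entries={
        0x1A2B: RevokedEntry(0x1A2B, utc(2024, 6, 3, 12, 0), "cessationOfOperation"),
        0x3C4D: RevokedEntry(0x3C4D, utc(2024, 6, 2), "keyCompromise"),
    },
)

# Constructed sample signatures exercising each branch of the check.
SAMPLE_SIGNATURES = [
    Signature(0x1A2B, utc(2024, 6, 2), "contract.pdf"),   # before revocation -> valid
    Signature(0x1A2B, utc(2024, 6, 4), "contract.pdf"),   # after revocation -> revoked
    Signature(0x1A2B, utc(2024, 6, 4), "invoice.pdf"),    # other document, same key -> revoked
    Signature(0x3C4D, utc(2024, 6, 1), "memo.txt"),       # before a keyCompromise entry -> suspect
    Signature(0x5E6F, utc(2024, 6, 4), "memo.txt"),       # serial not listed -> valid
]

if __name__ == "__main__":
    for document, verdict in evaluate_all(SAMPLE_CRL, SAMPLE_SIGNATURES, utc(2024, 6, 5)):
        print(f"{document:14s} {verdict}")
```

Note how the second and third sample signatures get the same verdict even though they cover different documents: the CRL cannot express "this one signature is invalid but the key remains good", which is exactly the gap the paragraph above describes. When `now` falls past `next_update` the checker returns `undetermined` rather than `valid`, so a stale list never silently clears a revoked key.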